A Fresh Look at Application Security

Application security is not keeping pace with evolving attacks, says Prasenjit Saha, CEO of the infrastructure management services and security business at Happiest Minds Technologies Pvt. Ltd., a Bengaluru-based IT services company. One problem: the lack of a standard, secure coding process in the application development life cycle.

"Most often, the architecture design team, developer team and security team don't align at the concept stage," Saha says.

Instead, security teams tend to get involved at the conclusion stage for the vulnerability test, resulting in fire-fighting with no great output on application design and security. "A strong integration of these groups at the design stage will combat sophisticated threats," Saha maintains.

In an interview with Information Security Media Group (transcript below), Saha discusses the application security challenges CISOs face and the reasons threats are not detected in advance. He sheds light on the security shortcomings of the software application development life cycle process and also discusses:

Skills needed for detecting threats early;

How and why coders become easy targets for attackers;

Mitigating risks from emerging technologies.

Saha is the CEO of the infrastructure management services and security business of Happiest Minds Technologies Pvt. Ltd., an IT services company focused on enabling digital transformation for customers through technologies including mobility, big data analytics, security, cloud computing, social computing, M2M/IoT and unified communications. Previously, he worked as vice president, SBU/profit center head for the Enterprise Solution division of Wipro Technologies.

AppSec Not Aligned With Threats

PRASENJIT SAHA: In enterprises, the architecture design, developer and security teams do not align at the concept stage. Security teams are always involved at the conclusion stage for the vulnerability test, resulting in fire-fighting with no great output. Security issues crop up during testing, but the developer community will be unable to carry out remediation due to time pressure and complexity of architecture and programs. An integration of these groups at the design stage will combat sophisticated threats.

Key Challenge for CISOs

NANDIKOTKUR: So, what's the key challenge for CISOs? How do they bridge the gap?

SAHA: Most often, critical issues of the program cannot be addressed, as there is no coordination or skills available. Finding a specialist team with an overall understanding of the entire application development life cycle process, security aspects and design aspects is a challenge. All teams are allowed to work in silos. All these pose great challenges to CISOs.

The reason is the application security market is just going through the maturing curve and will take a while to meet business requirements.

Take programs like J2EE, .Net, ASP.Net, ActiveX controls etc., rolled out in 2002. They took almost six years to stabilize, place security controls and identify gaps. The new applications will undergo that phase. However, the stabilizing time can be condensed by involving security teams early.

Regarding skill development and bridging gaps between teams, security teams must be clued in to the life cycle process and allowed to fix vulnerabilities on a day-to-day basis through black-box and white-box testing. Development teams are always under pressure of time and cost.

Security teams are equally under pressure. There are always bandwidth challenges. All teams should follow a secure agile phenomenon during the development stage. It is about self-learning to fix issues that crop up.

The Vulnerabilities

NANDIKOTKUR: It's said that attackers love coders. Where's the loophole, and where are the vulnerabilities?

SAHA: There are three areas where developers can go wrong:

Firstly, the developer and architecture teams ignore standard principles of the coding process. Following 14 different Do's and Don'ts eliminates over 80 percent of errors.

Secondly, developers fail to anticipate a zero-day attack, thus failing to fix vulnerabilities. Attackers easily exploit this. This is when the security practitioner's view is required for guidance about secure coding standards.

Thirdly, there's a lack of a far-sighted approach among developers in understanding the deployment of the architecture, pre-empting the use of the applications in various environments and embedding appropriate secure code.

Threat Mitigation Techniques

NANDIKOTKUR: What, then, are the ways to mitigate risks due to unknown threats and new technologies?

SAHA: Today's world is driven by social media, mobility, analytics and cloud, combined with multi-channel communication such as data, voice and video, influenced by digital transformation. This is going borderless. The industry is witnessing the evolution of the Internet of Things, M2M and smart cities, which are throwing up security challenges as they demand new code which is secure. The evolution of concepts like edge intelligence, where the intelligence shifts to the edge, as apps come to the data at a much larger scale, machine-to-machine, with little or no human interface or intervention, and the crowd-sourcing model (obtaining needed services, ideas or content from a large group of people, especially from an online community rather than from traditional employees or suppliers) [these] are throwing up newer risks.

Some elements which can help mitigate risks:

Enterprises can look at security as a service (SaaS) platform to be vigilant about threats and pre-empt them.

Security auditing is recommended to detect threats, place controls and recommend tools to mitigate risk.

Security teams should understand the business context and build capabilities to detect and respond to any threats that impact business applications (including packaged apps, Web apps and custom apps).

Traditional security tools do not have the integration and inspection capabilities for business contexts (though they can still carry out traffic inspection for protocol-level anomalies and code-level anomalies). To extract and use the information relevant to security, a separate intelligence engine is required. This should have the ability to look at transaction logs and audit logs to determine fraudulent activities and anomalous patterns and correlate this information with other layers to identify relevant threats and attacks.

About the Author

Nandikotkur is an award-winning journalist with over 20 years' experience in newspapers, audio-visual media, magazines and research. She has an understanding of technology and business journalism, and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a Group Editor for CIO & Leader, IT Next and CSO Forum.
